
Where Paypal Fails at Security

written by: Aaron R. • edited by: Bill Fulks • updated: 6/30/2011

I personally like the PayPal service, but it certainly could use a few updates. While they are often blamed for things that are just collateral damage, their security software and dispute resolution seem a bit ill-equipped for this day and age.


    PayPal isn't a horrible service. I feel that it gets a bit too much heat on the Internet for decisions that it can't help. Like it or not, payment processors have to comply with a lot of standards and keep an incredibly vigilant net open for money laundering operations or any other fishy activity. That said, any net will inevitably pull up a lot of innocent people.

    That doesn't mean that they don't have a lot of issues. PayPal's security problems are a huge issue that shouldn't be ignored, and I really would like a little bit of PayPal quality control for its dispute processes.


    A Devil's Advocate

    A big complaint that floats around is PayPal's love of freezing or limiting accounts. It wouldn't take long to find a big story, or any number of smaller stories, about those who suffered from an untimely freeze. The biggest concern is the lack of transparency in these freezes though. If you manage to trip any number of fraud alerts, then your account can be locked. This is at best annoying, and at worst, a disaster. PayPal's quality is a bit lacking in that regard. People should always be able to know the rules of the game that they're in.

    I do feel a need to play Devil's Advocate though, as PayPal, while being far from perfect, isn't exactly going around freezing people's accounts for fun. I have yet to see a freeze that was truly arbitrary (if you have one, feel free to post it below, I'd genuinely like to see it). There is always some logic to it, even if it's arbitrary.

    For example, gamers may know the story surrounding the seizure of the Minecraft developer's main account. The account held 600,000 Euros, most of which was received in a short period of time due to a recent media boom on the game. PayPal locked down the account until it could verify ownership, and ensure that some sort of reserve was set up to allow for refunds to occur. This is all normal and fine. It's obviously frightening for a new developer, but keeping enough cash on hand to cover refunds isn't an absurd request, and neither is verifying that a massive influx of money into an account isn't a scam or money laundering operation.

    I've suffered similar limits (obviously not on the same scale) while selling on eBay. New sellers, or even established sellers resuming business, will often be limited from removing all of their money from the account. This is done because it is a well-known scam to sell an expensive item, get the payment into your account, drain it into a bank account and then close the account and run. There is no recourse once the accounts are shut down.

    And one final point in their favor is that I've never heard a story of them actually “stealing” money. This is always the claim of every story I've heard of a frozen account, as the owner and any others involved scream theft, but each of those stories ends with the person sending the requested information to support to unlock the account, or just closing the account and getting the money back as a check after the waiting period for chargebacks is over.

    That's enough on their side though. I know they're far from angels.


    PayPal's Dispute Problems

    To keep up this chain, let's just note that a major part of frustration is that PayPal doesn't seem well equipped to deal with electronic purchases. I know that a good way to win any dispute, at least a year or two ago, was to state that it was the sale of an electronic good, which was delivered. PayPal would then usually drop the case.

    They seem fairly ill-equipped to handle the sale of games, services, etc. That came up in the Minecraft case, when the sales and delivery of something like a game couldn't be proven through the usual methods. Considering the growth of electronic sales, they seem to be a bit slow to change.

    Dispute resolution as a whole can be iffy. Sellers are at risk of a buyer just lying and saying that it was never picked up. Signature confirmation can help, but for smaller sales it is usually an unnecessary annoyance. Even if the signature is confirmed, there seems to be no defense for the buyer taking pictures of their old broken item and saying that that's the one that came. There's also no practical defense against false claims of hacked accounts, unless you are able to always stick to verified accounts and physical products.

    And buyers can find themselves in tricky situations too. They still have to prove that they didn't receive the right item, if the seller decides to mail them a brick instead of a PS3, or an iPod frame instead of an iPod. It's just not set up well to handle the nuances of scams and more complicated disputes. There's no certainty to it.


    PayPal's Security Problems

    [Image: PayPal Security Has Some Surprising Holes, Considering Its Strengths]

    Finally, while the article has focused on freezes and disputes, it's worth covering their phishing failures. PayPal phishing is a major issue. If someone gets your account and drains it, then you'll be in rough shape. Yet, PayPal offers very little real protection. They send out warnings, and tell people the usual tips to avoid phishing, yet they don't do anything on their site.

    One of the main ways that people have their login information stolen is through a spoof site. Hackers set up a fake login page, and then send victims scary emails telling them that they have to log in through this page or risk losing their entire account. Just about every serious online banking site that I know of offers a customized login page. You pick a picture, or set your own, and use a catchphrase below it. Since only the bank has that information for your account, you'll know when you're on a legitimate login page.

    When I say every legitimate bank, I'd just like to note that my local credit union even offers this. The fact that PayPal doesn't offer a two-stage login with this phishing protection is curious, to say the least.
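
    The two-stage login described above, sketched as an added example; it is not PayPal's or any bank's code. The class and function names, the cue catalogue and the decoy handling for unknown usernames are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample catalogue; a real site would also accept user-supplied cues.
IMAGES = ["lighthouse.png", "teapot.png", "canoe.png", "red-kite.png"]
PHRASES = ["nine quiet owls", "maple on tuesday", "slow river east", "blue kettle"]
DECOY_KEY = secrets.token_bytes(32)  # server-side secret, never sent to clients


def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class TwoStageLogin:
    """Hypothetical server side of an image-and-phrase login."""

    def __init__(self):
        self.users = {}

    def enroll(self, username, password, image, phrase):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _hash_pw(password, salt), image, phrase)

    def stage_one(self, username):
        """Stage 1: the user gives only a username and gets their cue back."""
        user = self.users.get(username)
        if user:
            return user[2], user[3]
        # Unknown name: return a stable decoy so the reply does not reveal
        # which usernames have accounts.
        d = hmac.new(DECOY_KEY, username.encode(), hashlib.sha256).digest()
        return IMAGES[d[0] % len(IMAGES)], PHRASES[d[1] % len(PHRASES)]

    def stage_two(self, username, password):
        """Stage 2: the password is checked only after the cue was shown."""
        user = self.users.get(username)
        salt, stored = (user[0], user[1]) if user else (b"\0" * 16, b"\0" * 32)
        matches = hmac.compare_digest(_hash_pw(password, salt), stored)
        return matches and user is not None


def cue_is_mine(shown, chosen):
    """The user's check: type the password only if the page shows their cue."""
    return shown == chosen


if __name__ == "__main__":
    site = TwoStageLogin()
    site.enroll("alice", "correct horse", "teapot.png", "maple on tuesday")
    print(cue_is_mine(site.stage_one("alice"), ("teapot.png", "maple on tuesday")))
```

    A static spoof page that has no copy of the account's cue fails `cue_is_mine`, which is the signal the user acts on before entering a password.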

    Overall, I guess I'd like to keep the record straight. PayPal has major issues with quality control, especially with their regard for anti-phishing controls and disputes. They aren't as bad as some would make them out, but they certainly have room to grow.


    References

    Source: Author's own PayPal experiences and knowledge

    Image Credit: Wikimedia Commons/Bkkbrad